How to conduct a risk workshop

The steps Humana takes to align business units with its ERM strategies

Humana is a company of 50,000 people, so assessing and addressing all
the risks that each segment of the company encounters is no easy feat.

For years, Humana, a multibillion-dollar player in managed health
care and health insurance, had a top-down approach to risk. But a few
years ago, the company decided it wanted to manage risk from the
bottom up as well. It needed more voices to make sure its risk
strategies weren’t solely the view of those in the executive suite.

“As we were doing audit engagements and having conversations with the
businesses, we realized the businesses had a very valuable perspective
that isn’t necessarily transparent up to the top of the organization,”
said Jennifer McCallister, a consulting leader in Humana’s internal
audit consulting group.

So the internal audit department, which facilitates Humana’s
enterprise risk management (ERM) program in concert with the
executive-populated Enterprise Risk Management Committee, decided to
hold risk workshops with the business units. Leadership across the
company is accountable and responsible for the risk management
process, and the workshops are just one of the tools available. The
workshop is one part of a five-step process designed to tease out
risks and give the business unit’s members a better understanding of
exactly what risk is, how it can hamper business-unit objectives, and
how it relates to the company’s ERM strategies (see the sidebar “Three
Top Benefits of Conducting Risk Workshops”).

Humana has been conducting the workshops since 2009, with slight
tweaks along the way. Hundreds of workshops have been done by the
internal audit department. This article breaks down Humana’s five-step process.

PHASE 1: LEADER INTRODUCTION AND BUY-IN

This phase is initiated, in general, by a call from a specific
business area. Maybe there’s a new vice president who wants to gauge
the sentiment about risk in the department.

McCallister said support and tone at the top are critical to the
effectiveness of the workshop and that, in general, the messages about
the workshop come from the department heads, not the internal audit
department. The reason is simple: Employees are far more likely to
listen to instructions from their leader than from someone in another
department, likely someone they’ve never met.

This phase requires gaining support from leadership to use the
workshop approach and tools to identify and assess risks. “We’re
engaging folks that maybe aren’t traditionally approached by internal
audit,” McCallister said. “It’s not us saying, ‘We’re coming in and
we’re doing this.’ It’s us offering to help provide the business with
tools and techniques to identify and assess risks, so it’s essential
that we have buy-in from the top.”

PHASE 2: LEADER RISK DISCUSSION

The VP is briefed on the company’s approach to ERM and given an
overview of the workshop process. The leader also gets a chance to
provide perspective on department strategy and objectives and to point
out risks. “We ask them, ‘Do you have any key risks that are top of
mind? Is there anything that’s giving you heartburn?’ ” McCallister said.

This phase was one of the tweaks made to the workshop process about
six months in. Previously, the VP took part in the risk discussion (Phase
4) at the same time as the employees. This was not always ideal, as
the internal audit team noticed employees tended to be more candid
without their leader in the room.

“We wanted to foster an environment where employees could openly
share their perspectives on risk, so we decided to get the leader’s
perspective first and give the option to participate in the workshop,”
McCallister said. “Most times, the leader is good with having the risk
discussion first. This phase helps us to understand risk from that
leader’s perspective and helps to provide context for the workshop.”

PHASE 3: EDUCATION AND SURVEY

Employees receive from their VP a document that gives an overview of
Humana’s ERM strategy and expectations for the workshop itself, as
well as definitions of a few key terms, such as “mitigation” and “controls.”

In the same email, they receive a link to an online survey. They have
about two weeks to complete the survey, which takes 10–15 minutes. The
survey starts with the same four statements for everyone (see the
sidebar “Risk Culture Measures”).

Then, the questions become more open-ended. Employees are asked about
the department’s top financial, strategic, compliance, and operational
risks. The survey can be tailored to ask specific questions about the department.

The internal audit team then analyzes the survey results. They group
open-ended comments into categories, a process McCallister calls
“affinitizing,” and then try to translate the voice of the survey
respondents into risk statements.

PHASE 4: WORKSHOP

The workshop itself takes, on average, half a day, but it can take
longer depending on the scope and number of people attending. During
this phase, internal audit continues the conversation with the members
of the business area, this time with old-fashioned, in-person
conversation and not an email or online survey.

First is yet another introduction to Humana’s ERM approach and how it
ties in with that business area. Then internal audit goes over the
survey results, both for the risk culture statement responses and the
open-ended survey questions. If the answers show any pressing
concerns, internal audit facilitates conversations to address those
during this phase.

Workshop participants then discuss with facilitators the business
unit’s primary objectives and goals. Once these are identified,
workshop participants are prompted to consider the objectives and
goals as they progress through the workshop. Then risk statements that
were formulated by internal audit based on the survey results are
shared with the group. The statements are discussed in detail and
altered as needed based on the advice of the workshop participants.
The process relies on the conversations about the best way to phrase a
risk statement so that it makes sense and is relevant to the
department, not just to the person who mentioned the risk in the survey.

“We will ask, ‘What does this mean to you?’ ” McCallister said.
“Sometimes, we hear, ‘I have no idea.’ Or ‘I see where you’re going,
but it’s not quite right.’ We make sure everyone’s comfortable with
the wording of each risk statement.”

Then the workshop participants are asked if any risks have been left
out. “We use a risk framework as a brainstorming tool,” McCallister
said. “We ask participants to review the framework as a way to make
sure they’ve considered all types of risks.”

Once all the risks have been compiled, they are ranked and
prioritized. Humana uses a grid similar to other companies’ heat maps,
but it has one key difference. The X-axis is for “impact”—the farther
out, the greater the potential impact. But the Y-axis doesn’t measure
the likelihood that the risk will occur. Instead, its measure is “how
well managed” the risk is—the farther out, the worse the risk is managed.

Employees rate impact on a three-point scale: high, medium, and low.
They have three choices about how a risk is being managed: well,
somewhat, or not at all.

Those risks are then plotted on a risk map, and specifically designed
voting software orders the risks by impact and level of management.
Then they are prioritized by employee input. Risk 1 is compared to
Risk 2, and employees are asked, “Which one is riskier?” The riskier
of the two is then compared to Risk 3 and so on.

It’s possible that the risks in the top right of the risk map (those
that have the highest impact and the lowest level of management) are
not the top priority. McCallister said this is because the mitigation
of a less serious risk can lead to the mitigation of the so-called top risks.

“Think about the concept of low-hanging fruit,” she said. “If the
optimization of a less severe risk requires fewer resources and has a
positive impact on one or more of the higher-rated risks, the business
will often prioritize those efforts over a risk that requires more resources.”

PHASE 5: FINAL DELIVERABLE

The goal is to have a final report two weeks after the workshop. But
that report’s first draft is in the hands of the business unit leader
two days after the workshop.

“The report is used by management to circle back and look at their
strategy,” McCallister said. “They want to know if there are risks in
this report that are not a part of their strategy. It can also be used
by internal audit to see if there’s some risk we want to check on.”

Internal audit also compares the results of each workshop with those
of others and applies the results to the company’s overall risk
framework. The data can begin to show whether the same types of risks
keep popping up across the company.

The process has resulted in two specific risks—ones that Humana
declined to disclose, but that came up regularly in workshops—being
proposed to the ERM committee to be added to the list of top
enterprise risks.

Risk Culture Measures

In the survey before any risk workshop, Humana asks its employees to
respond to four statements relating to risk culture. No matter the
department, all employees are asked to rate the same four statements
on a Likert scale (strongly agree, agree, neutral, disagree, strongly
disagree), along with the option to answer “I don’t know.”

The four statements are:

I feel comfortable with my ability to identify and assess risks
that may materially impact my business segment.

Management has provided a framework (common language and
methodology) with which I can evaluate risks and controls in my part
of the business.

I periodically identify key risks in my area of responsibility and
communicate them to my leader.

The leadership team I am a part of fosters an open and
collaborative discussion around risk.

“This helps us to trend risk culture across the organization,” said
Jennifer McCallister, a consulting leader in Humana’s internal audit
consulting group. “Are there pockets of the company that don’t like to
talk about risk or are not encouraged to talk about risk?”

Three Top Benefits of Conducting Risk Workshops

The process got people more conversant about risk. Jennifer
McCallister, consulting leader in Humana’s internal audit consulting
group, didn’t want to diminish the value of the final report on each
business unit’s risk workshop, but she believes the workshop itself is
vital. “Most of the value that the participants are identifying is
through having the conversations, getting people in a room, and
understanding different perspectives, so that they can come to
consensus on where a certain risk falls in relation to their business
area but also in relation to the enterprise,” McCallister said.

The process led to the creation of risk ambassadors. McCallister said
that internal audit’s phone rings more now because workshop
participants are sharing their experience with others. The
“ambassadors” are also used as a backup if a business unit’s leader is
skeptical about the value of the workshop process. “If they have
concerns, I encourage them to contact someone who has already done a
workshop,” she said. “Once they go through the workshop, they have a
better understanding of risk and what its impact is.”

The process can be duplicated for recently acquired entities. Humana
has made numerous acquisitions over the years and is likely to
continue to look for growth opportunities. The workshop process can
help a soon-to-be subsidiary become more easily integrated with
Humana. The process can help both sides understand the other’s risk
environment and give the subsidiary a chance to leverage some of
Humana’s risk-assessment tools.

EXECUTIVE SUMMARY

Humana had top-down risk management practices in place, but it wanted
a bottom-up approach as well. The company thought it could spread the
word about risk through a series of risk workshops.

The first phase of the process is to gain buy-in from executives. The
messages about the reasons for the workshops and instructions on how
to start the process are sent by department leaders, not internal audit.

Phases 2 and 3 involve educating both the department heads and the
managers who will take part. A survey is used to gauge the
department’s risk culture.

Phase 4 is the workshop itself. This involves a series of
conversations with the survey participants, leading to the creation of
department-specific risk statements, as well as ranking and
prioritizing the department’s risks.

The final phase is a report that sums up the department’s top risks.
The benefits of the workshop go beyond that one document. The process
has made many in the company more conversant about risk management.

Neil Amato is a JofA senior editor. To comment on this article or to
suggest an idea for another article, contact him at namato@aicpa.org
or 919-402-2187.
